Re: Audio CAPTCHA review request

On 3/29/07, tg-php@xxxxxxxxxxxxxxxxxxxxxx <tg-php@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Not bad. Seems to work nicely.  No "OMGWTF!" obvious slips like naming the MP3 with the digits the user needs to enter.

Worked fine in Firefox 1.5 too. Sometimes when audio is embedded in a page, it tries to load Windows Media Player or something which doesn't always work well in Firefox without some tweaking.  But your implementation worked fine without any weirdness.

Now.. on to the criticism.  Keeping in mind, you're welcome to use whatever you want to use and exercises like this are always good for the practice and experience if anything else.  Also, some of this is my opinion which you're welcome to ignore.

1. My biggest fear when relying on an audio CAPTCHA system is if the user doesn't have sound.  No speakers, or can't play stuff at the office or something like that.  I keep my system muted at work unless I'm playing music because some websites have dumb little flash things that make sounds and I don't feel like explaining what I'm surfing to my coworkers constantly.  And just out of a general courtesy to them not to create undue distractions in the office.

2. What you've created is a relatively simplistic audio CAPTCHA that HAS to be really susceptible to speech recognition.  Spammers have gotten used to visual CAPTCHA so maybe they're not going to focus too much on detecting and breaking audio CAPTCHA, but that still comes down to "security through obscurity" which isn't a good practice.

Here's some open source Linux-based speech recognition software that could be used to turn your audio into the proper digits:

http://freespeech.sourceforge.net/
http://cmusphinx.sourceforge.net/html/cmusphinx.php

Once they had the software set up, they'd just have to fake the "Speak Key" submit and grab the "tmp/access.mp3?##########" out of phone.php (submitting proper cookie/session data) and that's it.

In the couple minutes I took to search for some examples, I found some interesting links:

PWNtcha - http://sam.zoy.org/pwntcha/ - CAPTCHA defeating project.  Focused on image CAPTCHA, but they give examples of different systems and which ones are hard and which ones are easy to break. WARNING: One of the images used is NSFW, but it's kind of subtle. I didn't notice it at first.  So make sure nobody's looking over your shoulder on first lookover.  It's more than halfway down the page and I think the rest of the data on the page is worth the risk.

W3C's recommendations for alternatives to visual CAPTCHA/turing tests:
http://www.w3.org/TR/turingtest/

And because you can't do anything on the internet without bumping into adult material. Don't worry, this is safe... no pics or bad words, just an article about using porn sites to break visual CAPTCHA.  The spambots would take your visual CAPTCHA images and post them to their site which offers users free porn if they pass the CAPTCHA. And there's no lack of people wanting free porn so it sounds like it was fairly effective:
http://www.boingboing.net/2004/01/27/solving_and_creating.html

It's definitely an interesting field.   I think using the common sense techniques you (tedd) have used combined with a better CAPTCHA method, you could actually create something fairly user friendly and secure.

My vote is still for asking a person to identify images.  A bot is going to have a hard time identifying a pig that's photo'd from an odd angle and maybe colored blue instead of a standard pig-color.

Oh wait... someone's working on breaking that kind of CAPTCHA too.  Again using regular humans.  Apparently The ESP Game is based on the concept of breaking this kind of CAPTCHA.  Post the images and have people fill in key words that help classify the image.   So that blue pig might end up in a database labeled as "blue" and "pig" and "farm" or something anyway.

http://www.espgame.org/

There's no winning. hah

-TG

You're maybe on the right path, adding images as the background makes
it really hard to read the code from the image. You could for example
use random images as background.

But I have to say that breaking something isn't always needed;
re-using a human-passed protection is a way to break through a lot of
things.

For example, I would go to the page and save the number that the
CAPTCHA passed to my session. Then I would write down the code that I
need to enter. So, next time I need to pass, I set the session value
to the one I got the first time, and I enter the same code. Works for most
CAPTCHA programs :) Didn't test it out on your audio CAPTCHA yet, but
you really should care about a timeout for the session variable used.

We didn't see your script yet, so I don't know what extra security you
added. But it's good to have these things in mind.

Tijnema
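One server-side way to close the replay Tijnema describes, as an added example and not code from tedd's script: the expected key is kept only in the server session together with its issue time, is compared exactly once, and is discarded on any attempt, matching or not. The function names, the TTL and the congratulations.php redirect target are assumptions for the illustration.

```php
<?php
// Added example (not part of tedd's script): one-time, expiring CAPTCHA key.
// The expected key lives only in the server-side session, never in a cookie,
// URL or hidden field that a visitor could copy and replay later.

const CAPTCHA_TTL = 300;      // seconds a spoken key stays valid (assumed value)
const CAPTCHA_LEN = 6;        // digits in the key

// Generate a fresh key, overwriting any previous one for this session.
function captcha_issue(): string
{
    $key = '';
    for ($i = 0; $i < CAPTCHA_LEN; $i++) {
        $key .= (string) random_int(0, 9);   // CSPRNG, not rand()/mt_rand()
    }
    $_SESSION['captcha'] = ['key' => $key, 'issued' => time()];
    return $key;   // feed this to the audio generator, never to the browser as text
}

// Verify the visitor's answer. Returns true at most once per issued key.
function captcha_verify(string $answer): bool
{
    if (!isset($_SESSION['captcha'])) {
        return false;            // nothing issued in this session
    }
    $c = $_SESSION['captcha'];
    unset($_SESSION['captcha']); // single use: forget the key on any attempt

    if (time() - $c['issued'] > CAPTCHA_TTL) {
        return false;            // expired, even if the digits would match
    }
    // Constant-time comparison of the digits only; hash_equals is false on length mismatch.
    return hash_equals($c['key'], preg_replace('/\D/', '', $answer));
}

// Typical flow (assumes session_start() runs before any output is sent).
session_start();
if (isset($_POST['key'])) {
    if (captcha_verify((string) $_POST['key'])) {
        session_regenerate_id(true);   // fresh session id after a successful pass
        $_SESSION['human'] = true;     // the flag the Congratulations page should check
        header('Location: congratulations.php');   // assumed target page
        exit;
    }
    $_SESSION['human'] = false;
}
$spoken = captcha_issue();     // new key for the (re)displayed form; old one is gone
```

Because the key is removed before the comparison, a saved session cookie or a previously heard code cannot be presented twice, and the Congratulations page must test the session flag rather than trust a redirect.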

= = = Original message = = =

Hi gang:

If you people would be so kind as to review this:

http://sperling.com/examples/captcha/

and tell me what you think (ease of use, if it works, security,
etc.), I would appreciate it.

The point is to be able to get to the "Congratulations" page by
hearing and entering the key. If you can get there some other way or
defeat the process, I sure would like to know about it.

I've tested this with a couple of dozen blind users and they find no
problems with it. Now, I'd like to test it for the sighted.

It's a mixture of several languages, but there is php in it, so I
guess it's on topic.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


